We have a veritable cornucopia of Apple-related articles this week, anchored by Matt Neuburg's exploration into a tricky font cache bug that can cause seemingly random text to be displayed. Doug McLean reports on a serious vulnerability in Adobe's Flash and looks at Apple's update to Logic Studio. Glenn Fleishman reviews the new Skype 2.8 for Mac, which includes a limited screen sharing capability and per-minute Wi-Fi access at numerous hotspots. And Jeff Carlson delves into Apple's record-setting Q3 profits. We're also pleased to announce a new version of Joe Kissell's "Take Control of MobileMe." Notable software releases this week include Final Cut Pro Studio Update, iPhoto2Twitter 1.5, and Sandvox 1.6.3.

Adobe Warns of Critical Flash Vulnerability

Adobe has announced that a critical security vulnerability exists in the latest versions of Flash Player (v.9.0.159.0 and v10.0.22.87) for Mac OS X, Windows, and Linux, as well as in the authplay.dll component embedded in Adobe Reader and Acrobat v9.x for Mac, Windows, and various Unix operating systems.

The vulnerability could cause a crash that could be exploited by an attacker to gain control of the affected system, and in fact, this weakness is currently being exploited in the wild, though only in limited attacks directed at Adobe Reader 9 for Windows. An attacker could exploit this vulnerability by convincing users to visit a Web site that hosts a malicious SWF file, or by creating a PDF document that contains an embedded SWF file.

Adobe says it expects to release a fix for the Flash Player vulnerability by 30-Jul-09, and for Adobe Reader and Acrobat by 31-Jul-09. In the meantime, the company suggests Flash Player users use caution in visiting untrusted Web sites, though the only surefire way to avoid problems is by disabling Flash. For directions on disabling Flash in a variety of places and in different operating systems, see US-CERT's Vulnerability Note VU#259425. If you use Firefox, you can use the NoScript plug-in to whitelist Flash content on specific Web sites; if you use Safari, turn to Click to Flash.

$1.23 Billion Profit Highlights Apple's Q3 2009

Apple reported "record non-holiday quarter revenue and earnings" for the third quarter of its fiscal 2009, boasting a profit of $1.23 billion on revenue of $8.34 billion, or $1.35 per diluted share. (Those numbers compare to a profit of $1.07 billion on revenue of $7.64 billion in the year-ago quarter.) The results were bolstered by strong sales of laptops, iPhones, and the iPod touch, even as sales of traditional iPod models declined. (For accounting purposes, Apple's year ends 27-Sep-09.)

Apple sold 2.6 million Macs, up from 2.2 million in the second quarter of 2009. The company doesn't report sales by model type, but in its quarterly earnings conference call, Chief Financial Officer Peter Oppenheimer said that portables are now two-thirds of all Mac sales. The entire MacBook lineup was refreshed in June, which accelerated sales according to Oppenheimer (see "Apple Refreshes MacBook Line at WWDC," 2009-06-08).

The iPhone, not surprisingly, was a strong performer. Apple sold 5.2 million iPhones during the quarter, though Apple didn't reveal how that number breaks down into iPhone 3G and iPhone 3GS sales. However, Oppenheimer said that the company can't yet make iPhone 3GS units fast enough to fulfill demand. Chief Operating Officer Tim Cook also noted that almost 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones, while some large corporations and government organizations have bought more than 25,000 units each.

Because Apple accounts for iPhone (and Apple TV) revenue over the course of the devices' estimated lives, the revenue figures don't include all money from actual sales. The non-GAAP (Generally Accepted Accounting Principles) results - money actually coming in - show a $1.94 billion profit on revenue of $9.74 billion. It's also worth noting that Apple didn't recognize iPhone revenue between 17-Mar-09 (when the iPhone OS 3.0 was announced) and 17-Jun-09 (when the software was released).

The iPod touch was particularly popular during the quarter, growing 134 percent over last year. However, the gains were offset by declining sales of other iPod models, leading to overall sales of 10.2 million iPods, a 7 percent decline from the previous year's quarter. The company expects iPod touch sales to increase in the fourth quarter, an indication that the device will be updated (iPods have traditionally seen updates in that time period).

"Take Control of MobileMe" Updated for iLife '09, iPhone

Apple's MobileMe offers a wide range of services that can easily justify its $99-per-year price tag, but only if you are clued-in enough to take advantage of everything it provides. The new version 1.1 of "Take Control of MobileMe," by Joe Kissell, provides 124 pages of MobileMe goodness, teaching you about core features such as email, sharing photos and movies online, managing contacts, tracking your calendar, sharing files via your iDisk, and more. When Joe started writing this new version, his primary goal was to fold in new steps relating to iLife '09, but just as he was wrapping up, Apple released iPhone OS 3.0, so Joe was able to integrate iPhone OS 3.0 details as well. In particular, Joe explains the Find My iPhone feature, and he's written as much as he can about mobile iDisk access prior to Apple's release of the iDisk app.

If you or someone you know would benefit from getting more out of MobileMe, check out this $10 ebook.

Version 1.1 is a free update from version 1.0. If you own version 1.0, look in your email for an update notice with a download link or open your PDF to the cover (page 1) and click the Check for Updates button to access your free download.

If you own Joe's older "Take Control of .Mac," you can update for free from the second edition (from page 1, click Check for Updates; then click the Blog tab and look for your download). If you have only the first edition of "Take Control of .Mac," look for a discount update offer on your Check for Updates Web page (in the Downloads tab). In both cases, you may also have an email message that contains update information.

Skype 2.8 Adds Screen Sharing, Per-Minute Wi-Fi

Add Skype 2.8 to the list of programs that let you remotely observe another computer's screen. The latest Mac OS X-compatible release of the Internet telephony and video chat program brings remote viewing of a buddy's screen, along with an interesting per-minute fee for Wi-Fi access at commercial hotspots. Both features are available in release versions only for the Mac; the current Windows 4.1 beta offers screen sharing.

Screen Sharing -- Skype 2.8's screen sharing lets you share your screen with a buddy, who can only observe, not interfere (consider the Prime Directive!). This may be enough for demonstrating a point or answering a question, but insufficient for technical support or collaboration.

Instead of requiring that you share an entire screen, Skype's approach lets you share just part of a screen via a floating window that you can resize during an active session. You initiate screen sharing by selecting a buddy, and then choosing Share Full Screen or Share Selection from the Call > Share Screen menu. You can also initiate screen sharing if you're already in a session with someone from the gear pull-down menu.

In our testing, Skype's screen-sharing feature worked - even during the beta period - when iChat was incapable of starting a screen-sharing session no matter which party initiated and who had control. (iChat screen sharing always adds control to the party viewing a screen, just like LogMeIn Free for Mac. Timbuktu Pro has observe and control modes, with separately configurable permissions.)

Hotspot Access -- Skype 2.8 also brings Wi-Fi hotspot access for your Mac at for-fee locations around the world, paid by the minute from credit in your Skype account. Skype Access, as the feature is called, works with what Skype says are 100,000 hotspots worldwide, enabled by Boingo Wireless.

When you're at a hotspot supported by the software, a message appears offering you access. I've seen this pop up in Starbucks, which is operated by AT&T as part of about 20,000 U.S. locations the telecom firm serves.

Rates are insanely high: in U.S. currency, it's 19 cents per minute, or in the euro zone, 14 euro cents per minute (value-added tax may be added depending on country). That's $11.40 per hour (plus tax), which contrasts unfavorably to day rates of $4 from AT&T throughout its U.S. network and as much as $30 per day in the most expensive European hotels. Hotels and airports more typically charge $8 to $15 per night. Boingo charges its direct subscribers $10 per month for unlimited access in North America, and $59 per month for 2,000 minutes per month of usage worldwide. Neither plan requires a commitment beyond one month.

For casual use, such as 5 to 10 minutes of hopping on at a given location, Skype's pricing relative to most day rates is far more worthwhile.

Skype also claims that voice and video quality have been improved in the latest release, but I haven't seen a difference in my use.

Apple Revamps Logic Studio

Apple has released a major update to its professional sound and music editing bundle, Logic Studio. The latest version includes Logic Pro 9, MainStage 2, Soundtrack Pro 3, Compressor 3.5, and WaveBurner 1.6. While Apple boasts of over 200 new features, a handful of those make Logic Studio's refresh notable.

Saving Time and Energy -- Logic Pro 9 adds a set of features collectively called Flex Time that is designed to save you time and effort by simplifying complex timing and tempo editing. Chief among these tools are Flex Tool and Audio Quantize.

Flex Tool enables you to drag and push portions of the waveform audio anywhere you please while avoiding the tedious and aggravating splicing normally required by such a task.

Audio Quantize lets you conform an audio region to a musical grid or other track to correct or improve its rhythmic qualities. For example, if your guitar player nailed his solo but was a little off-tempo somewhere in the middle, you could target just those notes that fall off the beat, and put them where they need to be.

Undoubtedly these sorts of corrective tools will have musicians from past eras grumbling, but they're sure to please today's struggling amateurs.

Guitar Gods in Mind -- One of the main aims of this upgrade is the expansion and improvement of guitar tone virtualization. The update introduces a feature called Amp Designer that enables guitarists to mix and match 25 different amp models with 25 different speaker cabinets, and to record the resulting setup with one of three different virtual mics.

Additionally, users now have access to 30 stompbox effect pedals via the Pedalboard feature, and can combine as many as they please to create dense and complex guitar tones.

Finally, with support for Apogee GiO, users can control Pedalboard hands-free via a new USB audio interface and control device in both Logic Pro 9 and MainStage 2 (an essential feature given that guitarists usually have their hands full).

Going Live -- MainStage, Logic Studio's live performance program, gets two new plug-ins for expanded performance options. Playback does what it sounds like, playing back pre-recorded tracks when triggered with a USB or MIDI controller. It's aimed at solo performers looking for hands-free on-the-spot integration of backing vocals or music.

The other new plug-in is Loopback, which functions as a common looping station that enables musicians to record a live track and add new layers to that track with each subsequent pass of the loop (Loopback reportedly functions similarly to the EchoPlex tape-based loop device that was popular in the 1970s).

Production Tools -- In addition to the snazzy new features listed above, the refreshed Logic Studio also introduces a host of substantial production tools designed to improve overall performance and control. New production features include Selective Track Import, which enables you to move specific tracks and setups between projects; Drum Replacer, which enables you to easily swap out unsatisfactory drum tracks with triggered samples; new notation and chord grids for creating guitar tablature and scores; and expanded editing capabilities within your Take Folder.

Logic Express -- Logic Express 9 adds Flex Time features to the stripped-down introductory audio package, as well as production tools such as Selective Track Import, Bounce-in-Place rendering, and notation and chord grids. Also added are Amp Designer, Pedalboard, and Apogee GiO support.

Just the Facts -- The new Logic Studio costs $499, and requires that you're running Mac OS X 10.5.7 or later on a Mac with an Intel processor. Upgrades from the previous Logic Studio, Logic Gold 5, Logic Platinum 5 and their succeeding Gold, Platinum, and Pro editions cost $199. Logic Express owners can upgrade to Logic Studio 2 for $299.

Logic Express 9 costs $199, with updates from prior Logic Express versions or Big Box costing $99. It, too, requires Mac OS X 10.5.7 or later on a Mac with an Intel processor, and is due to ship in August 2009.

Cause of Font Cache Bug Revealed?

The other day I was using TextMate to run a simple Ruby script and an odd thing happened: the script suddenly started producing nonsense. There was nothing really wrong with the script itself, but TextMate appeared to have lost its mind; instead of showing me the actual string resulting from the script, like "ogopogo," it was omitting some of the letters, like "gpg." I restarted the computer and everything was fine after that. But I was left wondering what the heck had just happened.

I posted a query to the TextMate users newsgroup, and someone responded: "WebKit is used to render the HTML output window, and it has been known to behave strangely from time to time. Another possibility is that your font caches had become corrupted. Either of these problems could have been corrected by a reboot." Oh, yes, the font cache bug. I'd forgotten all about it, and I certainly had not connected it with TextMate's output. But I did know about the font cache bug. Indeed, I had referred to it implicitly, years before, in my review of Smasher (see "Insider Smashes Suitcases," 2005-09-26).

The Mac OS X font cache bug is an intermittent misbehavior of fonts on Mac OS X, typically affecting any application that displays Web pages with the built-in WebKit engine (Safari, OmniWeb, TextMate, BBEdit, and CSSEdit are examples). The bug can also mar the display of PDFs, I believe. A quick Google search turns up some pages that talk about it, including this one which provides some images of a corrupted Web page display, and a YouTube video showing characters randomly disappearing and reappearing (much like what I was experiencing myself). Rob Griffiths mentions the bug in a recent Macworld article. And, going back further in time, John Gruber had an extensive series of articles about it in 2005.

The occurrence of the font cache corruption bug on my machine has been less frequent in recent years; indeed, I'm not certain I've ever seen it on Leopard (I was using TextMate on Tiger when the bug struck me). Still, the question remains as to what actually triggers the bug.

Now it appears there's an answer. The problem seems to be caused, as one might expect, by a combination of two things: badly behaved fonts, and Apple's font caching mechanism. But in what way are the fonts badly behaved, and what's wrong with the font caching mechanism? The details come from an unexpected quarter of the Mac OS X world: the users of TeX.

TeX (pronounced "tech"), for those who don't know, is a typesetting program by the venerable Donald Knuth. It's often used for the production of scientific and mathematical books and papers. There are various Mac OS X TeX implementations, and it was while I was glancing over some Web pages connected with these, reading about TeXShop and MacTeX, that I noticed a link to a page about the font cache bug. I read the page, and my jaw dropped. Brilliant and determined detective work by some TeX power users has recently laid the blame for font cache corruption at the door of a TeX utility called pdftex, which lies at the heart of TeX implementations because it is used to pipe the TeX output directly to a PDF. If you receive and open a PDF that was created with pdftex, you run the risk of triggering the font cache bug on your machine.

Here's why (and now I am basically just quoting from the explanation by Richard Koch, the creator of TeXShop). A PDF file contains embedded copies of the fonts that it uses. Those copies consist of mathematical instructions for drawing the font's characters (that's what PDF is all about). These mathematical instructions are often expressed, in part, as PostScript subroutines for drawing partial shapes used by multiple characters, like this:

Now, you may not be able to read that (how many of us are fluent in PostScript?), but it turns out that there's a bug in that subroutine. After the "endchar" line, the routine is supposed to have a "return" statement, and it doesn't. These subroutines were being incorrectly formed by the then-current version of pdftex.

However, the incorrectly formed subroutines had no obvious manifestation in the resulting PDF file, because pdftex was forming them incorrectly only in the case of characters which, while part of the font, were never used in that particular PDF. For characters that were being used in that PDF, pdftex was forming the subroutines correctly. Thus, the issue could never be directly detected.

But here's the problem: When such a PDF was opened on Mac OS X, Apple's font caching mechanism came along and stored these subroutines anyway - that's why it's called font caching! - so it would know how to draw those characters of that font if it encountered them later. So if it did encounter those characters of that font later, these subroutines would be called, and since the subroutines were corrupt, the font's drawing procedures would be wrong.

So the bug was being triggered by opening a "bad PDF," but it had no effect on the "bad PDF" itself; it was only later, if other characters of the same font happened to be used anywhere in the system where the font caches were called upon (such as through Preview or a WebKit-reliant application), that the corruption would manifest itself. And you know something? Sure enough, when I saw the problem in TextMate, I had been reading a TeX-generated PDF file earlier that same day.

What's the upshot for you, the end user? First, you may acquire, or may already have on your machine, the occasional "bad PDF" file, and if you open it, this might trigger the font cache bug, which will manifest itself as character corruption later on until you restart the computer or otherwise rebuild the font caches. You may be able to identify these by doing a Spotlight contents search for "pdfTeX" (if you sort the results by Kind, remember that a PDF can be listed either as an "Adobe PDF Document" or as "Portable Document Format"). A more specific search, avoiding PDFs that merely mention pdftex, would be "Encoding software contains pdftex." (On accessing the "Encoding software" search criterion through the "Other" pop-up menu item, see my "Spotlight Strikes Back: In Leopard, It Works Great," 2007-11-01.) You can't fix a "bad PDF," but at least you'll have some notion of which PDF files might trigger the bug.
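A scripted counterpart to that more specific search, added here as an example (it is not from the article, TeXShop, or pdftex): it reads each PDF's /Producer entry rather than its text, so a PDF that merely mentions pdfTeX is not flagged. The function names and sample bytes are constructed, and it assumes the Info dictionary is stored uncompressed and unencrypted.

```python
"""List PDFs under a folder whose /Producer entry names pdfTeX."""
import os
import re
import tempfile

KEY = re.compile(rb"/Producer\s*(?=[(<])")  # value is a (literal) or <hex> string


def _literal(data, i):
    """Read a PDF literal string at data[i] == '(' with nesting and escapes."""
    out, depth, i = bytearray(), 1, i + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":                 # keep the escaped byte (octal escapes
            out += data[i + 1:i + 2]   # are not expanded; enough for matching)
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return bytes(out)


def _hex(data, i):
    """Read a PDF hex string at data[i] == '<'; empty result if malformed."""
    end = data.find(b">", i)
    if end < 0:
        return b""
    digits = re.sub(rb"\s", b"", data[i + 1:end])
    try:
        return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii"))
    except ValueError:
        return b""


def producers(data):
    """Return every /Producer value found in the raw PDF bytes, as text."""
    found = []
    for m in KEY.finditer(data):
        i = m.end()
        raw = _literal(data, i) if data[i:i + 1] == b"(" else _hex(data, i)
        if raw.startswith(b"\xfe\xff"):        # UTF-16BE text string
            found.append(raw[2:].decode("utf-16-be", "replace"))
        else:
            found.append(raw.decode("latin-1"))
    return found


def made_by_pdftex(data):
    return any("pdftex" in p.lower() for p in producers(data))


def scan(root):
    """Walk root and return the sorted paths of PDFs produced by pdfTeX."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".pdf"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if made_by_pdftex(fh.read()):
                        hits.append(path)
            except OSError:
                continue                   # unreadable file: skip, keep scanning
    return sorted(hits)


# Constructed samples (not real documents; the version string is made up).
SAMPLES = {
    "tex-literal.pdf": b"%PDF-1.4\n1 0 obj\n<< /Producer (pdfTeX-0.00.0) >>\nendobj\n",
    "tex-hex.pdf": b"%PDF-1.4\n1 0 obj\n<< /Producer <"
    + "\ufeffpdfTeX".encode("utf-16-be").hex().encode() + b"> >>\nendobj\n",
    "mention-only.pdf": b"%PDF-1.4\n1 0 obj\n<< /Producer (Some Other Tool)"
    b" /Title (Notes on pdfTeX) >>\nendobj\n",
}


def demo():
    """Write the constructed samples to a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        return [os.path.basename(p) for p in scan(d)]


if __name__ == "__main__":
    print(demo())
```

A hit means only that pdftex wrote the file, not that its embedded fonts contain the malformed subroutines.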

Second, it's perfectly possible that there are other causes of font cache corruption besides PDF files generated with TeX, so let's not heap all the blame on the TeX users - after all, they're the ones who found the source of the problem in pdftex.

Third, newer PDF files generated with TeX are unlikely to cause the problem, because the TeX folks have also fixed the problem in pdftex.

Fourth, Apple changed the font caching mechanism in Leopard, but it looks like the problem can still occur (though it seems to me that it occurs less often). In any case it is ultimately up to Apple to rewrite its routines to deal more robustly with bad fonts; now that the TeX power users have been able to show Apple exactly how the bug is triggered, perhaps Apple will be able to correct it.

TidBITS Watchlist: Notable Software Updates for 27-Jul-09

Final Cut Pro Studio Update from Apple is a major update to the professional-grade video and audio editing bundle, which includes the new Final Cut Pro 7, Motion 4, Soundtrack Pro 3, Color 1.5, Compressor 3.5, and DVD Studio Pro 4 (which hasn't been updated in four years!). Final Cut Pro 7 sees the addition of three new versions of the ProRes codec, which bring faster and higher-quality editing capabilities; support for burning projects to Blu-ray discs; and iChat Theater support to make sharing within collaborative efforts easier. Motion 4 adds three-dimensional shadows and reflections, new depth-of-field capabilities, and added text-titling tools. Soundtrack Pro 3 adds a new Voice Level matching option that enables users to ensure that voice levels are consistent throughout a project, an improved audio file editor with drag-and-drop capabilities, enhanced noise reduction tools, and new multi-track editing tools. A full list of changes is available via Apple's Final Cut Studio page. Apple also dropped the price tag by $300 and the upgrade fee by $200. ($999 new, $299 upgrade)

iPhoto2Twitter 1.5 from Blue Crowbar Software is the latest version of the iPhoto plug-in that lets you share your pictures via Twitter. The update extends the plug-in's sharing capabilities (previously it worked only with TwitPic, and could share only photos) to Mobypicture, an online service that enables you to upload photos and movies once, and then, from there, to share them across a wide swath of social media sites. Sites supported by Mobypicture include Twitter, Facebook, YouTube, Flickr, Blogger, Vimeo, WordPress, LiveJournal, Tumblr, Jaiku, Hyves, and Brightkite. (4.95 euros, free update, 230 KB)

Sandvox 1.6.3 from Karelia Software is a maintenance update to the template-based Web site creation tool. The latest version provides full support for Safari 4 and Safari 4 WebKit and preliminary support for Snow Leopard. The update also fixes an issue that occurs when dragging documents directly into a Sandvox document to create new pages, enhances the content of the Movie Page RSS feeds, improves media handling, and rolls in the latest Karelia iMedia Browser framework. ($57 Regular/$97 Pro, free update, 26.4 MB)

ExtraBITS for 27-Jul-09

10 Years of AirPort -- Apple introduced AirPort Wi-Fi networking just about 10 years ago at Macworld Expo New York, and you can once again see Phil Schiller jumping from a platform onto an inflatable pad while holding the original iBook. Steve Jobs notes in the keynote that Apple worked over 18 months with Lucent to develop the system, which explains why AirPort performed better than any other 802.11b systems for years to follow. (Posted 2009-07-24)

Apple Claims 91 Percent of Premium PC Market Revenue -- BetaNews analyzes a startling NPD Group research report showing that, in June 2009, Apple earned 91 percent of the market revenue for computers priced over $1,000, up significantly from 66 percent in Q1 2008. This is largely because the average Windows-based PC price is $515, whereas the average Mac price is $1,400, but all the major PC makers produce premium PCs too, and Apple is clearly eating them for lunch. (Posted 2009-07-24)

AT&T Admits iPhone Exclusivity Will End -- AT&T's CEO admits at a conference that "a day in the future" the firm may not be the only U.S. carrier to offer the iPhone. He also tries to brush off network problems, and claims he's an iPhone abuser when he travels to find problems "with Web surfing, app using, and emailing" - because none of his subscribers do those things, of course. (Posted 2009-07-23)

David Pogue Takes Cell Phone Carriers to Task -- New York Times columnist David Pogue quickly dispenses with the question of why there isn't an iPhone that works with Verizon Wireless. Then he pulls no punches as he lays out five questionable business practices on the part of U.S. cellular carriers. Forward this one to your elected representatives! (Posted 2009-07-23)

Clearwire Will Release Mac Drivers for WiMax Service -- Clearwire says it will provide Mac OS X drivers for its so-called fourth-generation (4G) WiMax wireless network service on 17-Aug-09. So far, Clearwire's multi-Mbps network is available only in Atlanta, Baltimore, Las Vegas, and Portland, OR. (Posted 2009-07-21)

Universal Integrates Blu-ray Disc and iPhone App -- Macworld reports on Universal Studios Home Video's forthcoming Blu-ray release of "Fast & Furious" that will enable users to control a special disc feature via an iPhone app, marking the first integration of Blu-ray and the iPhone. While the feature isn't mind-blowing - controlling 360-degree views of cars and viewing their specs - Universal plans in the future to enable users to control playback, access film information, and even chat about the movie via Twitter and Facebook. (Posted 2009-07-21)

Barnes & Noble Offers Ebooks without Reader Hardware -- Barnes & Noble has opened up the electronic book market a bit with 700,000 titles (500,000 from Google Books) that can be read with eReader software for Mac OS X, Windows, iPhone, and BlackBerry. Best-sellers are priced at $9.99. The firm's books can be read on the forthcoming Plastic Logic eReader, but not via the Sony Reader or Amazon Kindle models or Kindle software. (Posted 2009-07-21)

Communicating with unsecured networks -- What began as a discussion of how to notify people with unsecured Wi-Fi networks turns into an examination of the strengths of various router security measures. (23 messages)

Taking notes on presentations -- Is there a utility that lets you take notes with time stamps on presentations? Pear Note is the leading contender. (3 messages)

Mac Pro and Two Different Size Monitors -- Is it possible to mirror two displays that are different sizes? Yes, but not quite in the way that the poster would like. (5 messages)

Screen to video capture software? -- A reader looks for a good screencasting program. (4 messages)

This is TidBITS, a free weekly technology newsletter providing timely news, insightful analysis, and in-depth reviews to the Macintosh and Internet communities. Feel free to forward to friends; better still, please ask them to subscribe!

Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. TidBITS ISSN 1090-7017.